Switch to a safer technique for obtaining the working directory on Windows

Instead of looping 8 times to work around the TOCTOU issue with sizing the current directory buffer, instead keep doubling the buffer up until the 32767 character limit until the result fits. This ensures we always get a working directory if GetWorkingDirectoryW didn't return some other error, rather than returning nil in the case of a race condition.

Author: jakepetroules

Sources/FoundationEssentials/FileManager/FileManager+Directories.swift

@@ -489,22 +489,10 @@ extension _FileManagerImpl {
 
     var currentDirectoryPath: String? {
 #if os(Windows)
-        var dwLength: DWORD = GetCurrentDirectoryW(0, nil)
-        guard dwLength > 0 else { return nil }
-
-        for _ in 0 ... 8 {
-            if let szCurrentDirectory = withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(dwLength), {
-                let dwResult: DWORD = GetCurrentDirectoryW(dwLength, $0.baseAddress)
-                if dwResult == dwLength - 1 {
-                    return String(decodingCString: $0.baseAddress!, as: UTF16.self)
-                }
-                dwLength = dwResult
-                return nil
-            }) {
-                return szCurrentDirectory
-            }
+        let dwSize = GetCurrentDirectoryW(0, nil)
+        return try? FillNullTerminatedWideStringBuffer(initialSize: dwSize >= 0 ? dwSize : DWORD(MAX_PATH), maxSize: DWORD(Int16.max)) {
+            GetCurrentDirectoryW(DWORD($0.count), $0.baseAddress)
         }
-        return nil
 #else
         withUnsafeTemporaryAllocation(of: CChar.self, capacity: FileManager.MAX_PATH_SIZE) { buffer in
             guard getcwd(buffer.baseAddress!, FileManager.MAX_PATH_SIZE) != nil else {

Sources/FoundationEssentials/WinSDK+Extensions.swift

@@ -81,6 +81,14 @@ package var ERROR_FILENAME_EXCED_RANGE: DWORD {
     DWORD(WinSDK.ERROR_FILENAME_EXCED_RANGE)
 }
 
+package var ERROR_ILLEGAL_CHARACTER: DWORD {
+    DWORD(WinSDK.ERROR_ILLEGAL_CHARACTER)
+}
+
+package var ERROR_INSUFFICIENT_BUFFER: DWORD {
+    DWORD(WinSDK.ERROR_INSUFFICIENT_BUFFER)
+}
+
 package var ERROR_INVALID_ACCESS: DWORD {
     DWORD(WinSDK.ERROR_INVALID_ACCESS)
 }
@@ -288,4 +296,29 @@ internal func WIN32_FROM_HRESULT(_ hr: HRESULT) -> DWORD {
     return DWORD(hr)
 }
 
+internal func FillNullTerminatedWideStringBuffer(initialSize: DWORD, maxSize: DWORD, _ body: (UnsafeMutableBufferPointer<WCHAR>) throws -> DWORD) throws -> String {
+    var bufferCount = max(1, min(initialSize, maxSize))
+    while bufferCount < maxSize {
+        if let result = try withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(bufferCount), { buffer in
+            let count = try body(buffer)
+            switch count {
+            case 0:
+                throw Win32Error(GetLastError())
+            case 1..<DWORD(buffer.count):
+                guard let result = String.decodeCString(buffer.baseAddress!, as: UTF16.self)?.result else {
+                    throw Win32Error(ERROR_ILLEGAL_CHARACTER)
+                }
+                assert(result.utf16.count == count, "Parsed UTF-16 count \(result.utf16.count) != reported UTF-16 count \(count)")
+                return result
+            default:
+                bufferCount *= 2
+                return nil
+            }
+        }) {
+            return result
+        }
+    }
+    throw Win32Error(ERROR_INSUFFICIENT_BUFFER)
+}
+
 #endif